Google Cloud SQL SSL fails peer certificate validation

孤街醉人 提交于 2019-12-19 10:04:52

问题


I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.

For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.

Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:

  CN=project-name:instance-id

To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.

I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub), MySQLnd configuration options to try and disable the SSL peer verification code on this particular MySQLND. To no avail.

Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?

Your response is greatly appreciated!


回答1:


Try connecting through the proxy if you have second generation sql, you might be able to connect pdo via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy




回答2:


Assuming you can convince MySQL that the hostname is should verify is in fact project-name:instance-id then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).

I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql binary (I didn't try via PHP).

First I added a hosts entry on my machine included the colon as part of the name:

1.2.3.4   project-name:instance-id

After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:

mysql -uroot -h "project-name:instance-id" --password \
    --ssl \
    --ssl-ca ~/Downloads/server-ca.pem \
    --ssl-cert ~/Downloads/client-cert.pem \
    --ssl-key ~/Downloads/client-key.pem \
    --ssl-verify-server-cert

(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure)



来源:https://stackoverflow.com/questions/29260464/google-cloud-sql-ssl-fails-peer-certificate-validation

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!